Colorado Supreme Court
Office of Attorney Regulation Counsel
Promoting Professionalism. Protecting the Public.
11 Tips to Safeguard Clients’ Digital Information
Implementing these measures can help address your ethical obligations in the cyberspace era.
By JILL FERNANDEZ
We live in a mobile world, full of laptop computers, tablets, smart phones and even wearable electronic devices. We also live in a connected work, surrounded by seemingly endless options for wireless connectivity. These advances in technology have been both a boon and bane to lawyers.
Threats to data housed on computers, in mobile devices and in information storage systems used by attorneys are at an all-time high. These threats range from the mundane to the incredibly sophisticated. As attorneys continue to embrace the latest technology, it is critical for us to understand and address the ethical obligations that go hand in hand with these cyberspace opportunities.
Some of these obligations arise from our Rules of Professional Conduct. Others arise from common law rules of reasonable care. Duties may also arise from contracts with clients, especially those clients working in regulated industries such as banking, insurance and health care, or from the myriad of state and federal privacy law and regulations. (For a full discussion of the ethical underpinning to the following guidelines, read below.)
Entire books have been written about the subject of cyber security for lawyers. However, for those of you who need a place to get started, consider implementing the following precautionary measures:
1. Safe guard the physical security of your mobile devices.
Perhaps the simplest way to safeguard electronic client confidences is to secure the devices containing them. Keep in mind that the single most stolen items in airports are laptops and tablets. Roughly 10 percent of all cell phones (some 30 million) “go missing” each year. A full 40 percent of armed robberies include smartphones and more than 19 percent of users reporting having dropped their smartphone into a toilet!
2. Use a strong password (or PIN) on all electronic devices that contain client information, including flash drives.
Most eight character passwords can be cracked in less than 2 hours, whereas a twelve character password will take in excess of 17 years to decipher. Don’t accept the four-digit security options that are offered as the default on most data devices. Experts recommend that you never use the same password in multiple places and that you change all of your passwords at least every 90 days.
3. Use encryption on all mobile devices, including flash drives.
Encryption options are expanding rapidly and are available on virtually every electronic data device. They can secure data at rest (on desktops, laptops, servers or portable media) and data in motion (over wired or wireless networks and the internet.) There are also a variety of specialty thumb drives on the market, like the IronKey, which come preloaded with sophisticated encryption software. There is also a free encryption tool, TrueCrypt, which can used to turn just about any thumb drive into a highly secure encrypted drive.
4. Pay attention to basic security set-up on your new devices that may allow you to:
a. Encrypt the device,
b. Enable auto-logoff,
c. Disable interfaces that are not being used (Bluetooth, WiFi, etc.),
d. Set auto-wipe after a fixed number of failed logon attempts,
e. Enable remote location, locking, and wiping if the device is lost, and
f. Expand password and PIN choices to make them more secure.
5. Consider the use of third-party security applications (antivirus, encryption, remote locating and wiping, etc.)
6. Avoid public WiFi sites and configure web accounts to use only secure connections – secure socket layer (SSL) or virtual private networks (VPN).
7. Limit confidential data on phones and tablets to only that which is immediately necessary.
Just because your mobile device can house a huge volume of data, doesn’t mean that it should be used for this purpose. Given the frequency of loss and theft of mobile devices, think twice before down loading sensitive data in bulk.
8. Back up all important data – especially if you enabled “wipe” functions.
9. Secure or encrypt all confidential data transfers, including email.
Email is a very common example of how lawyers transfer confidential data. Email is simple to encrypt and email attachments can be easily password protected. Secure email services are also available from various managed message service providers. As an alternative to email, lawyers can also exchange information by using secured file sharing and transfer options.
10. Use caution in the selection and use of “Cloud” based data services.
11. Have, and disseminate to staff, a comprehensive policy that defines the requirements for using firm-issued or personal mobile devices and have a mobile device management plan in place to control security setup and other aspects of secure use.
Lawyers have a duty to safeguard their clients’ information in cyberspace under several of Colorado’s Rules of Professional Responsibility, beginning with Rule 1.1 concerning lawyer competence. “Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonable necessary for the representation.” Our Colorado rule directly corresponds with the Model Rule 1.1. In August 2012, the formal comments to Model Rule 1.1 were amended to make it clear that “… a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with technology….” The duty of competence requires that attorneys know what technology is necessary in their practice and how to use it. However tempting (or truthful) it may be, you should know that pleading technical incompetence will no longer work for lawyers, even in the complex world of e-discovery compliance.
Rule 1.6 governing the confidentiality of information is at the very core of our ethical obligations. The Rule directly proclaims that “A lawyer shall not reveal information relating to the representation of a client....” According to the comments to this Rule, “A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons participating the representation of the client or who are subject to the lawyer’s supervision.” The duties to supervise both subordinate lawyers as well as non-lawyer personnel are codified in Rule 5.1 and 5.3, respectively.
Rule 1.4 also applies to a lawyer’s use of technology. It requires appropriate communications with clients “about the means by which the client’s objectives are to be accomplished,” including the use of technology. It requires keeping a client informed, and depending on the circumstances, may require obtaining a client’s consent to the use of certain technologies. It most certainly requires notice to a client in the event that there’re has been any compromise of that client’s information.
While it is now possible to work from literally anywhere at any time, this freedom carries with it concerns about security and heightened professional duties toward your clients. A security lapse can result not only in expensive work disruptions, frustrated clients, and angry colleagues, it can also result in professional discipline. Proceed thoughtfully and with caution!
Jill Fernandez is Assistant Regulation Counsel in the Office of Attorney Regulation Counsel.
 There are also a growing number of state ethics opinion that have addressed professional responsibility issues related to security in attorney’s use of various technologies. There are now several ethics opinions on attorneys’ use of cloud computing, which involves cyber security, outsourcing, and a number of additional ethical considerations. The ABA Legal technology Resources Center has published a summary with links, “Cloud Ethics Opinions Around the U.S.,” available at www.americanbar.org/groups/departments offices/legal technology resources/resources.charts_fyis/cloud-ethics-chart.html.
 The common law duties are defined by case law in the various states and explained in the Restatement (3rd) of the Law Governing Lawyers (2000). See, Section 16(2) of competence and diligence, Section 16(3) on complying with obligations concerning client confidences, and Chapter 5, “Confidential Client Information.”
 Garcia v. Berkshire Life Ins. Co, N.A. (D. Colo. 2007).